Overview
- Google shipped emergency Chrome 149 updates on Monday that fix 74 vulnerabilities and confirm an exploit is active for CVE-2026-11645, a high‑severity out‑of‑bounds read/write flaw in the V8 JavaScript engine.
- The patched builds are 149.0.7827.102 for Windows and Linux and 149.0.7827.103 for macOS, and Google says the rollout will reach users over days and weeks unless they force an immediate update.
- CVE-2026-11645 can let a crafted web page trigger heap corruption that allows code execution inside Chrome’s sandbox, and attackers often chain such bugs with sandbox escapes to gain greater access.
- Google credited an anonymous researcher identified as '303f06e3' for reporting the bug on April 27 and paid a $55,000 bounty for the responsible disclosure.
- This is the fifth Chrome zero-day confirmed exploited in the wild in 2026. Reporters link this string of incidents to a surge in internally found flaws and increased use of AI tools for vulnerability discovery, which could accelerate future patches and bounty rule changes.